Authentication Profile PIP
This PIP has been introduced in Argus 1.7.1
This PIP uses the information extracted from the certificate by the Common XACML Authorization Profile PIP and the Grid Authorization Profile PIP, so it must be configured as the last PIP in the PEP server.
This PIP looks in the request subject attributes for the attribute holding the subject of the CA that issued the certificate contained in the request, and for the attribute holding the VO name linked to the request.
If no attribute holding the CA subject is found, the PIP returns without modifying the request. Otherwise, the PIP checks whether the included certificate subject and VOMS attributes are allowed by the local authentication profile policies.
If the policies are NOT met, the subject and VOMS attributes are removed from the request.
If the policies are met, the x509-authn-profile attribute is set, containing the authentication profile resolved for the request.
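The decision flow described above, modelled as an added Python example (this is not Argus code). It assumes a simplified stand-in for the policy-*.info format (a subjectdn line listing quoted CA DNs) and for the authentication profile policy file (one VO per line followed by the profile aliases it accepts, with "--" for requests carrying no VO), takes the profile alias to be the policy file name without its .info suffix, and assumes the ids of the subject, VO and FQAN attributes that the other PIPs populate; only x509-subject-issuer and x509-authn-profile are taken from this page.

```python
"""Toy model of the Authentication Profile PIP decision flow.

Added example, not Argus code. The policy-*.info and vo-ca-ap-file formats
used here are simplified stand-ins constructed for the example, and every
attribute id except x509-subject-issuer and x509-authn-profile is assumed.
"""
import copy
import fnmatch
import re

ISSUER_ID = "http://glite.org/xacml/attribute/x509-subject-issuer"
PROFILE_ID = "http://glite.org/xacml/attribute/x509-authn-profile"
# Assumed ids for the attributes the Common XACML / Grid profile PIPs populate.
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
VO_ID = "http://glite.org/xacml/attribute/virtual-organization"
FQAN_ID = "http://glite.org/xacml/attribute/fqan"

# Constructed trust-anchor directory (file name -> content); only files matching
# the policyFilePattern glob are read, so README is ignored.
POLICY_INFO_FILES = {
    "policy-igtf-classic.info":
        'subjectdn = "/C=IT/O=ExampleCA/CN=Classic CA", "/C=DE/O=ExampleCA/CN=Classic CA 2"\n',
    "policy-igtf-slcs.info":
        'subjectdn = "/C=IT/O=ExampleCA/CN=Short Lived CA"\n',
    "README": "not a policy file\n",
}

# Constructed authentication profile policy: VO -> profile aliases whose CAs
# may authenticate that VO's members; "--" applies to requests without a VO.
VO_CA_AP_FILE = """
# vo       allowed profile aliases
/atlas     policy-igtf-classic policy-igtf-slcs
/cms       policy-igtf-classic
--         policy-igtf-classic
"""


def load_profiles(files, pattern="policy-*.info"):
    """Map each CA subject DN to the alias of the policy info file listing it.

    The alias is assumed to be the file name without its .info suffix.
    """
    dn_to_alias = {}
    for name, text in files.items():
        if not fnmatch.fnmatch(name, pattern):
            continue
        alias = name[: -len(".info")]
        match = re.search(r"subjectdn\s*=\s*(.*)", text)
        if match:
            for dn in re.findall(r'"([^"]+)"', match.group(1)):
                dn_to_alias[dn] = alias
    return dn_to_alias


def load_vo_policy(text):
    """Parse the simplified vo-ca-ap file into VO -> set of allowed aliases."""
    policy = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, *aliases = line.split()
        policy[key] = set(aliases)
    return policy


def apply_pip(request, dn_to_alias, vo_policy):
    """Apply the PIP to a request ({"subject": {attr_id: value}}).

    Returns a new request; the caller's copy is left untouched.
    """
    request = copy.deepcopy(request)
    subject = request["subject"]
    issuer = subject.get(ISSUER_ID)
    if issuer is None:
        return request  # no CA subject: leave the request unmodified
    alias = dn_to_alias.get(issuer)
    vo = subject.get(VO_ID)
    allowed = vo_policy.get("/" + vo if vo is not None else "--", set())
    if alias is None or alias not in allowed:
        # Policy not met: drop the subject and VOMS attributes so that later
        # PDP policies cannot match on them.
        for attr_id in (SUBJECT_ID, ISSUER_ID, VO_ID, FQAN_ID):
            subject.pop(attr_id, None)
        return request
    subject[PROFILE_ID] = alias
    return request


if __name__ == "__main__":
    profiles = load_profiles(POLICY_INFO_FILES)
    policy = load_vo_policy(VO_CA_AP_FILE)
    req = {"subject": {ISSUER_ID: "/C=IT/O=ExampleCA/CN=Short Lived CA",
                       SUBJECT_ID: "/C=IT/O=ExampleCA/CN=alice", VO_ID: "atlas"}}
    print(apply_pip(req, profiles, policy)["subject"])
```

Running the script shows an atlas member whose certificate comes from the short-lived CA being accepted with x509-authn-profile set to policy-igtf-slcs; the same certificate presented with a cms VO is stripped of its subject and VOMS attributes, because the constructed policy only accepts classic-profile CAs for that VO.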
- Create a new INI section for the PIP, with any valid INI section name.
- In this section add the parserClass property with the value org.glite.authz.pep.pip.provider.authnprofilespip.AuthenticationProfilePIPConfigurationParser.
- Add the authenticationProfilePolicyFile property with a value corresponding to the absolute path of the authentication profile policies file, traditionally /etc/argus/pepd/vo-ca-ap-file.
- Add the trustAnchors.directory property with a value of the absolute path of the trust anchors directory, where the PIP searches for the policy info files, typically /etc/grid-security/certificates.
- Add the trustAnchors.policyFilePattern property with a value corresponding to a bash globbing expression that matches the policy info files, e.g. policy-*.info.
- Optionally, add the trustAnchors.refreshIntervalInSecs property with a value in seconds, that is the refresh interval used by the PIP to reload the policy files, e.g. 14400.
The Argus 1.7.1 packages provide a default authentication profile policy file located at /etc/argus/pepd/vo-ca-ap-file. This file grants access only to certificates issued by CAs in the IGTF classic, mics and slcs profiles.
PIP Configuration Properties

| Property | Description | Required | Default |
|---|---|---|---|
| authenticationProfilePolicyFile | Absolute path of the authentication profile policy file | Yes | |
| trustAnchors.directory | Absolute path where the policy info files are located | No | |
| trustAnchors.policyFilePattern | Regular expression that matches the policy files to read | No | |
| trustAnchors.refreshIntervalInSecs | Time, in seconds, after which the PIP reloads the policy files | No | 14400 |
Populated Effective Request Attributes
This PIP will process the request subject x509-subject-issuer attribute and populate the following attribute:
- The X.509 Authentication Profile Attribute
- type: Subject
- id: http://glite.org/xacml/attribute/x509-authn-profile
- data type: http://www.w3.org/2001/XMLSchema#string
- multiple values allowed: yes
- description: The alias of the policy file that contains the DN of the CA issuer.
Required Request Attributes
This PIP requires that the request environment contains the attributes extracted from the X.509 certificate/proxy by the other PIPs.
- The X.509 Subject Issuer Attribute
- type: Subject
- id: http://glite.org/xacml/attribute/x509-subject-issuer
- data type: urn:oasis:names:tc:xacml:1.0:data-type:x500Name
- multiple values allowed: no
- description: Distinguished Name of the CA issuer.
The following example shows a PEP Server configuration with the Authentication Profile PIP enabled.
```ini
[SERVICE]
entityId = https://argus.example.org/pep
hostname = argus.example.org
pips = COMMONXACMLPROFILE_PIP AUTHN_PROFILE_PIP

[PDP]
pdps = https://argus.example.org:8152/authz

[AUTHN_PROFILE_PIP]
parserClass = org.glite.authz.pep.pip.provider.authnprofilespip.AuthenticationProfilePIPConfigurationParser
authenticationProfilePolicyFile = /etc/argus/pepd/vo-ca-ap-file
trustAnchors.directory = /etc/grid-security/certificates
trustAnchors.policyFilePattern = policy-*.info
trustAnchors.refreshIntervalInSecs = 14400
```